berbew | 1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe
Size

112KB
MD5

64741c0ea1a0d27201c54ad00d2df2e5
SHA1

a101c93c8e87d1a0d6a39932a19d4b5303755346
SHA256

1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c
SHA512

5c5c991d4d8dea728acc77fe54981e0fe8a56ae70eaea9e52190d15790b74d0948a0f618998b144bbb2dce800762689c04e16060f7b106b4641596087d43fcee
SSDEEP

3072:GJh5c5fCNOm3Bmmie62yuK+73zPLHDfbXCM4+lc802eSQ:GuF+JJlc856

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pqknig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opdghh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofeilobp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Olmeci32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngmgne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pfolbmje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nljofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndcdmikd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npmagine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofnckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdifoehl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oddmdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 64 IoCs

pid	Process
4368	Npcoakfp.exe
3508	Ngmgne32.exe
4808	Nljofl32.exe
3676	Ndaggimg.exe
4660	Ngpccdlj.exe
4692	Njnpppkn.exe
2824	Nlmllkja.exe
1288	Ndcdmikd.exe
1744	Ngbpidjh.exe
4760	Nnlhfn32.exe
4104	Npjebj32.exe
3296	Ngdmod32.exe
1048	Nnneknob.exe
956	Npmagine.exe
2348	Ndhmhh32.exe
3380	Nfjjppmm.exe
1468	Olcbmj32.exe
748	Odkjng32.exe
3248	Oflgep32.exe
2464	Olfobjbg.exe
2876	Ocpgod32.exe
848	Ofnckp32.exe
5100	Olhlhjpd.exe
4080	Opdghh32.exe
1988	Ognpebpj.exe
1044	Onhhamgg.exe
520	Oqfdnhfk.exe
4616	Ocdqjceo.exe
4580	Ofcmfodb.exe
2500	Olmeci32.exe
1132	Oddmdf32.exe
648	Ofeilobp.exe
4500	Pnlaml32.exe
4516	Pqknig32.exe
4700	Pdfjifjo.exe
2412	Pfhfan32.exe
3608	Pnonbk32.exe
4088	Pdifoehl.exe
896	Pggbkagp.exe
2668	Pjeoglgc.exe
4456	Pmdkch32.exe
1140	Pqpgdfnp.exe
4988	Pcncpbmd.exe
4836	Pflplnlg.exe
4476	Pjhlml32.exe
3276	Pncgmkmj.exe
3512	Pqbdjfln.exe
4308	Pcppfaka.exe
5016	Pfolbmje.exe
4388	Pjjhbl32.exe
1944	Pmidog32.exe
4936	Pcbmka32.exe
1436	Pfaigm32.exe
3560	Pjmehkqk.exe
3692	Qmkadgpo.exe
2036	Qdbiedpa.exe
1456	Qgqeappe.exe
1736	Qnjnnj32.exe
3816	Qqijje32.exe
1620	Qgcbgo32.exe
4160	Ajanck32.exe
4820	Adgbpc32.exe
5040	Afhohlbj.exe
1376	Ajckij32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Opdghh32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	Qdbiedpa.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Chfgkj32.dll	Ngmgne32.exe
File created	C:\Windows\SysWOW64\Pfaigm32.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Pjmehkqk.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Npjebj32.exe	Nnlhfn32.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Olcbmj32.exe	Nfjjppmm.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe
File opened for modification	C:\Windows\SysWOW64\Ngmgne32.exe	Npcoakfp.exe
File created	C:\Windows\SysWOW64\Nnneknob.exe	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Olhlhjpd.exe	Ofnckp32.exe
File opened for modification	C:\Windows\SysWOW64\Ofcmfodb.exe	Ocdqjceo.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Nfjjppmm.exe	Ndhmhh32.exe
File opened for modification	C:\Windows\SysWOW64\Ocdqjceo.exe	Oqfdnhfk.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pqpgdfnp.exe
File opened for modification	C:\Windows\SysWOW64\Pfolbmje.exe	Pcppfaka.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pdifoehl.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Afhohlbj.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Empblm32.dll	Ngdmod32.exe
File created	C:\Windows\SysWOW64\Olfobjbg.exe	Oflgep32.exe
File opened for modification	C:\Windows\SysWOW64\Pncgmkmj.exe	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Qmkadgpo.exe	Pjmehkqk.exe
File opened for modification	C:\Windows\SysWOW64\Qdbiedpa.exe	Qmkadgpo.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Ajanck32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Adgbpc32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6652	6564	WerFault.exe	229

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnpppkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npjebj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjjppmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onhhamgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhmhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjeoglgc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pflplnlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndcdmikd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npmagine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmdkch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdifoehl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdfjifjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqfdnhfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnlhfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjhbl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpaekf32.dll"	Onhhamgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjmehkqk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qciaajej.dll"	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngbpidjh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifoihl32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pjjhbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njnpppkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngdmod32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elocna32.dll"	Pnlaml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pflplnlg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfiei32.dll"	Pcppfaka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndcdmikd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pdifoehl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmkadgpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlmllkja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgnkd32.dll"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocpgod32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onhhamgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pqknig32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 4368	4464	1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe	87
PID 4464 wrote to memory of 4368	4464	1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe	87
PID 4464 wrote to memory of 4368	4464	1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe	87
PID 4368 wrote to memory of 3508	4368	Npcoakfp.exe	88
PID 4368 wrote to memory of 3508	4368	Npcoakfp.exe	88
PID 4368 wrote to memory of 3508	4368	Npcoakfp.exe	88
PID 3508 wrote to memory of 4808	3508	Ngmgne32.exe	89
PID 3508 wrote to memory of 4808	3508	Ngmgne32.exe	89
PID 3508 wrote to memory of 4808	3508	Ngmgne32.exe	89
PID 4808 wrote to memory of 3676	4808	Nljofl32.exe	90
PID 4808 wrote to memory of 3676	4808	Nljofl32.exe	90
PID 4808 wrote to memory of 3676	4808	Nljofl32.exe	90
PID 3676 wrote to memory of 4660	3676	Ndaggimg.exe	91
PID 3676 wrote to memory of 4660	3676	Ndaggimg.exe	91
PID 3676 wrote to memory of 4660	3676	Ndaggimg.exe	91
PID 4660 wrote to memory of 4692	4660	Ngpccdlj.exe	92
PID 4660 wrote to memory of 4692	4660	Ngpccdlj.exe	92
PID 4660 wrote to memory of 4692	4660	Ngpccdlj.exe	92
PID 4692 wrote to memory of 2824	4692	Njnpppkn.exe	93
PID 4692 wrote to memory of 2824	4692	Njnpppkn.exe	93
PID 4692 wrote to memory of 2824	4692	Njnpppkn.exe	93
PID 2824 wrote to memory of 1288	2824	Nlmllkja.exe	94
PID 2824 wrote to memory of 1288	2824	Nlmllkja.exe	94
PID 2824 wrote to memory of 1288	2824	Nlmllkja.exe	94
PID 1288 wrote to memory of 1744	1288	Ndcdmikd.exe	95
PID 1288 wrote to memory of 1744	1288	Ndcdmikd.exe	95
PID 1288 wrote to memory of 1744	1288	Ndcdmikd.exe	95
PID 1744 wrote to memory of 4760	1744	Ngbpidjh.exe	96
PID 1744 wrote to memory of 4760	1744	Ngbpidjh.exe	96
PID 1744 wrote to memory of 4760	1744	Ngbpidjh.exe	96
PID 4760 wrote to memory of 4104	4760	Nnlhfn32.exe	97
PID 4760 wrote to memory of 4104	4760	Nnlhfn32.exe	97
PID 4760 wrote to memory of 4104	4760	Nnlhfn32.exe	97
PID 4104 wrote to memory of 3296	4104	Npjebj32.exe	98
PID 4104 wrote to memory of 3296	4104	Npjebj32.exe	98
PID 4104 wrote to memory of 3296	4104	Npjebj32.exe	98
PID 3296 wrote to memory of 1048	3296	Ngdmod32.exe	99
PID 3296 wrote to memory of 1048	3296	Ngdmod32.exe	99
PID 3296 wrote to memory of 1048	3296	Ngdmod32.exe	99
PID 1048 wrote to memory of 956	1048	Nnneknob.exe	100
PID 1048 wrote to memory of 956	1048	Nnneknob.exe	100
PID 1048 wrote to memory of 956	1048	Nnneknob.exe	100
PID 956 wrote to memory of 2348	956	Npmagine.exe	101
PID 956 wrote to memory of 2348	956	Npmagine.exe	101
PID 956 wrote to memory of 2348	956	Npmagine.exe	101
PID 2348 wrote to memory of 3380	2348	Ndhmhh32.exe	103
PID 2348 wrote to memory of 3380	2348	Ndhmhh32.exe	103
PID 2348 wrote to memory of 3380	2348	Ndhmhh32.exe	103
PID 3380 wrote to memory of 1468	3380	Nfjjppmm.exe	104
PID 3380 wrote to memory of 1468	3380	Nfjjppmm.exe	104
PID 3380 wrote to memory of 1468	3380	Nfjjppmm.exe	104
PID 1468 wrote to memory of 748	1468	Olcbmj32.exe	105
PID 1468 wrote to memory of 748	1468	Olcbmj32.exe	105
PID 1468 wrote to memory of 748	1468	Olcbmj32.exe	105
PID 748 wrote to memory of 3248	748	Odkjng32.exe	106
PID 748 wrote to memory of 3248	748	Odkjng32.exe	106
PID 748 wrote to memory of 3248	748	Odkjng32.exe	106
PID 3248 wrote to memory of 2464	3248	Oflgep32.exe	108
PID 3248 wrote to memory of 2464	3248	Oflgep32.exe	108
PID 3248 wrote to memory of 2464	3248	Oflgep32.exe	108
PID 2464 wrote to memory of 2876	2464	Olfobjbg.exe	109
PID 2464 wrote to memory of 2876	2464	Olfobjbg.exe	109
PID 2464 wrote to memory of 2876	2464	Olfobjbg.exe	109
PID 2876 wrote to memory of 848	2876	Ocpgod32.exe	110

C:\Users\Admin\AppData\Local\Temp\1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe
"C:\Users\Admin\AppData\Local\Temp\1996b2216845a0940805af35b62c214be192d857793c2955ebb004cf0985b93c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\SysWOW64\Npcoakfp.exe
  C:\Windows\system32\Npcoakfp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\SysWOW64\Ngmgne32.exe
    C:\Windows\system32\Ngmgne32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SysWOW64\Nljofl32.exe
      C:\Windows\system32\Nljofl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\SysWOW64\Ndaggimg.exe
        
        C:\Windows\system32\Ndaggimg.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3676
      - C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Njnpppkn.exe
        
        C:\Windows\system32\Njnpppkn.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Nlmllkja.exe
        
        C:\Windows\system32\Nlmllkja.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Ndcdmikd.exe
        
        C:\Windows\system32\Ndcdmikd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Ngbpidjh.exe
        
        C:\Windows\system32\Ngbpidjh.exe
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Nnlhfn32.exe
        
        C:\Windows\system32\Nnlhfn32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Npjebj32.exe
        
        C:\Windows\system32\Npjebj32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Ngdmod32.exe
        
        C:\Windows\system32\Ngdmod32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Npmagine.exe
        
        C:\Windows\system32\Npmagine.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Ndhmhh32.exe
        
        C:\Windows\system32\Ndhmhh32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Nfjjppmm.exe
        
        C:\Windows\system32\Nfjjppmm.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Olcbmj32.exe
        
        C:\Windows\system32\Olcbmj32.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\SysWOW64\Olfobjbg.exe
        
        C:\Windows\system32\Olfobjbg.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ocpgod32.exe
        
        C:\Windows\system32\Ocpgod32.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Ofnckp32.exe
        
        C:\Windows\system32\Ofnckp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:848
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Opdghh32.exe
        
        C:\Windows\system32\Opdghh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4080
        
        C:\Windows\SysWOW64\Ognpebpj.exe
        
        C:\Windows\system32\Ognpebpj.exe
        26⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\Onhhamgg.exe
        
        C:\Windows\system32\Onhhamgg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Oqfdnhfk.exe
        
        C:\Windows\system32\Oqfdnhfk.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:520
        
        C:\Windows\SysWOW64\Ocdqjceo.exe
        
        C:\Windows\system32\Ocdqjceo.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4616
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:648
        
        C:\Windows\SysWOW64\Pnlaml32.exe
        
        C:\Windows\system32\Pnlaml32.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Pqknig32.exe
        
        C:\Windows\system32\Pqknig32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Pdfjifjo.exe
        
        C:\Windows\system32\Pdfjifjo.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\Pnonbk32.exe
        
        C:\Windows\system32\Pnonbk32.exe
        38⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\SysWOW64\Pdifoehl.exe
        
        C:\Windows\system32\Pdifoehl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\Pmdkch32.exe
        
        C:\Windows\system32\Pmdkch32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Pflplnlg.exe
        
        C:\Windows\system32\Pflplnlg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\Pcppfaka.exe
        
        C:\Windows\system32\Pcppfaka.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Pfolbmje.exe
        
        C:\Windows\system32\Pfolbmje.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\Pjjhbl32.exe
        
        C:\Windows\system32\Pjjhbl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Pmidog32.exe
        
        C:\Windows\system32\Pmidog32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\SysWOW64\Pcbmka32.exe
        
        C:\Windows\system32\Pcbmka32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Pjmehkqk.exe
        
        C:\Windows\system32\Pjmehkqk.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Qgqeappe.exe
        
        C:\Windows\system32\Qgqeappe.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3816
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        67⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        68⤵
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        73⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5088
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        80⤵
        Modifies registry class
        
        PID:5204
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        81⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5244
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5292
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        83⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5336
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5408
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        85⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        86⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5512
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        87⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        88⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        89⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        90⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        91⤵
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        92⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5780
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        93⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5824
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        94⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5868
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        95⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5912
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        96⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        97⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        98⤵
        Modifies registry class
        
        PID:6040
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        99⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6088
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        100⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        102⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:5180
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        103⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        104⤵
        Modifies registry class
        
        PID:5308
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        105⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        106⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        107⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        108⤵
        Modifies registry class
        
        PID:5680
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        109⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5744
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        110⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        111⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5884
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        112⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5964
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        113⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6024
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6140
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        115⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        116⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        117⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        119⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        120⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5924
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        121⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        122⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5332
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        123⤵
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        124⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5344
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        126⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        128⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5156
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        129⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6180
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        130⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6236
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        131⤵
        Modifies registry class
        
        PID:6284
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        132⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6328
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        133⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:6372
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:6432
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        135⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:6476
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        136⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6520
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:6564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6564 -s 408
        138⤵
        Program crash
        
        PID:6652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6564 -ip 6564
1⤵
PID:6628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
112KB

MD5
fedd8c04ce445243fa10bd23e30a6e0e

SHA1
afd866810ad8d0970e35967e6daee94a3df4696d

SHA256
2e3d05f36f77e1fa929e89b4143fbf8f9f44389e471dde57bb6332fc5df2dd4b

SHA512
78b9f1ad44099927f8daeb67f88453a0ea9551a69d0c0eb7d66ea2c721ff43a5419cde6261cc46db40312abd0c455a5cd35b570974b8f08bd3ce3e8e675b75ae

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
112KB

MD5
9ef2abe4210f2b6bfe257e1e375041ea

SHA1
49cd8cb9a94cbf86bde8e87583eb6495dac7b0cf

SHA256
2a42731515a040c6bf78bbbbc734e665ff9f27561ff5d69afaace859497c6ce9

SHA512
3855632b32eae6afcbf7bfc394a42a62b98d81acf487e64e82da9b120b09e1349c36b76b5afe700c0f1a4d72bdf8b0ee4b51358c4374ca1c87007f72fe04dcbb

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
112KB

MD5
53dea23e9d62c5f9a9d35d8d3f16afe9

SHA1
c621b8c6cba7a2d01ae3a60730d28e691586a2c6

SHA256
3399a6e4a6a41da75eec4a69d036bcd1fe7c87f3e8229178b669ddfae52aa5da

SHA512
03186cf5a779f523ba141ed6dd1fde40ffb1a8ea8c518c71a838255f4e381c67d71b0e108533ec193d56ce19fb6620d24f7a8d009ad73534d720360138dc9813

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
112KB

MD5
6e8cabc3764a8213c4b57a93fb1ef725

SHA1
6843c9e7614399ccec2cb02f2f9d2e6d18f51e65

SHA256
688c20fe940ce9111de6b0df4150a591711824add1dd62b004aa4d5c79598f39

SHA512
44b1fdc8a3663ccf72544704083e091e3e4fdff43fb5074f37e12312e4a4576cfc7b900d9345c32e96e5ca705e7ca669af1957dc81cdc5b7b9b5dd25429ee272

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
112KB

MD5
d374a25903892f4123d3f47e717543f8

SHA1
c946ab0b4ad6847f334d05558fe3e4d0f0f0b93e

SHA256
3d064a221b5b5fe1bdcfdd7262044dd5d4adac0173aaa6efc21a176443ff57d5

SHA512
e9505f60d1d07e7a2d4a8d59615552e919f6e5a8e540a3c63aa3f761a9f446e0fbdb71beca57b64643433aaa2bb3408a2835d9a88dd369ad7244170d9548f1dd

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
64KB

MD5
a027ad4791d8912c89fd6ee3b5023212

SHA1
107bd82bdc210abedf846724e8a8d30c57d3fb87

SHA256
faabb1dbf00cc59e53348adfa4b6a958c8b28246cc171702709e707fd096e38a

SHA512
43d66b0f54b774bf89fdd0ee9e5f54b622ef1dd1ee75ffbc8ceb8862c7915cfad0b316c4940f93d6d16047f969c346d448d2f8697ad58f4d4a1f63e4f0465703

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
112KB

MD5
685c756bdad295154103c1e27a74a89c

SHA1
76f531ab912d3225df91cd1427d2ca03cfa1abf0

SHA256
0b3e26679127cd9fc67cfd8220eba8bbde62dac03e9123b4f0194bbb42f1cbd2

SHA512
c9576586942dcb53ba0d07bacd2139b2d62018dc48af567be7e5fad3d080c9dd56d950351f4b6344b77dc9bafc32cd5ddf8802b8f92f309f9a1cf7796cba3329

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
112KB

MD5
ceac38bb71e3d00e85b902afbd42f826

SHA1
00cd720516590de937a7b3bb040a9ab399eb37bd

SHA256
2b9a278ed6a659cea00ef51332f45a3482b671d7204cada521fdeca2606a991f

SHA512
a8d200a812acdf7341ec699dff9620c0ce5a313ac4061301f68532ec13f18c4551788c1f5f4f9e17560f6b80035261b79907a31cf6c02f3764acc00431199f77

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
112KB

MD5
b0d3e65d74c2e2442a44f9fb1e68c07f

SHA1
1cae2a0164fc45b34a2e53dc76e1adc0330b78ba

SHA256
3cd6474d86610c5301793b299d926471e33620afd63e3b161f65c247bbbf8ae6

SHA512
79cb02d74a5ae2bbcb1c72c098157999eb5d80879a90aa4fbce0a38f678d0217175990e6393d2f2ed032be2ceb527ae4d89e607b96b66b3988534c45c2fd0cdd

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
112KB

MD5
1f1dcabee10ecab08f9af447c4e64329

SHA1
3d2ba22f3c46bf3682a2e8d94e051255706db2f0

SHA256
3047ac14c2dda63a0ce934c82d2e505964d89e9ac116c392f6e97ab98f6a76cf

SHA512
f1482a2d1385d8e508aea73c11eab03492af22560edd5a890270ff1b99a45d9c9c64f7a9446c90d4ee98b1cf714b14c40bbeaeae0bbea1aacd52bd0cfdc2ff6f

Download Submit
C:\Windows\SysWOW64\Ndaggimg.exe

Filesize
112KB

MD5
1bad06c803ef10343f6884a9013459e4

SHA1
c9aec2f79b8475959bcc9e9417af05f188464d60

SHA256
937d60307612a85f36aae7ad03e9ee50e6b2d96b0b3e7713d3ec62c59eb367a2

SHA512
2c22a6fea2a4120acae741868c004b6c1d795cf1e697acd96d8108c38d8262a8ef9540690c20bc90d45951e8785b1a91207d8b1e04024dc618bde769a8422a0c

Download Submit
C:\Windows\SysWOW64\Ndcdmikd.exe

Filesize
112KB

MD5
47e764c7aa7c9e22169060428355e099

SHA1
6d7a36d59debf59a137d8884f8c409e5f2421457

SHA256
1acff7b652f4a1885ee26a40866e240937208620fc80fcd08faf70de84f265e0

SHA512
d20da18d4661fb6b8818bc7689f9a6860427d12768820e3bed389d1090e1750b5cc291f028761755ba4a5e87870e7893381feddbe57c5f3e7ebcd856366187dd

Download Submit
C:\Windows\SysWOW64\Ndhmhh32.exe

Filesize
112KB

MD5
47dd497b74cf8f724ee42b505eb3218c

SHA1
8150f79763249e741d2fcd79072654b54458bb54

SHA256
14a227d55891022bdb134beadc74a0f17cd1c2d3f9e44051e7076b2f3c77f621

SHA512
31cb16f0d3bdf69b427e0bd8c0f3b8d238c029f0cab9ca503605d2f9057829bc65c937701370f07f444ba6bf75ad44e6b8bb266df25778eebe744babe723cd3a

Download Submit
C:\Windows\SysWOW64\Nfjjppmm.exe

Filesize
112KB

MD5
b80e6ebabcdfc814fd0a9bd49611f9b7

SHA1
fea0896514385fe5bdc047312a82873f35aa3a77

SHA256
3f9f6faa2147e3c5220020751f59853b70a53e704a33e676d3b7d01d6588e734

SHA512
bbc6b422e9c58e00ab664746731ef5e4c2870a2ae9671b8cbfabe1242c711fbcc5f01c76e53a9401b19299f3e0e75e9e7379f57686f73382872f3d9d2632aeb4

Download Submit
C:\Windows\SysWOW64\Ngbpidjh.exe

Filesize
112KB

MD5
f0524c2d74b8c79121403a3c139295c0

SHA1
8dba75a44bd388bb1248d87f1426dbb83ac49503

SHA256
16dafb3a4609e548cfb61a2b3954beec3da5a5b32f84f112b9c57b39b1929a72

SHA512
5e712deb4a6cf417958aca86e6907632ddcc1b2af9c3771cdded4afbb17c47f584d3597de714c066f00ac3c14ed4adba61ce789e138f2744c8097bab5dba4466

Download Submit
C:\Windows\SysWOW64\Ngdmod32.exe

Filesize
112KB

MD5
0c99d747e50d7a090d82dc059c507a88

SHA1
21a23189d62fb68a46d37ef5ac5d7dd06d869189

SHA256
491a8c3ab72798fbee51c924b802764cd8c89f6aeda077ef7bae04521fa61b09

SHA512
8f2b7d4da3b2ffa9758ade0c58ec87141b7af0e1b693eac7ad8250ce6dfcda50c352494e9387f98f9b1f4797512520cea0e60d6b39d8ab9d57f81242ea713029

Download Submit
C:\Windows\SysWOW64\Ngmgne32.exe

Filesize
112KB

MD5
87d7fb814c49f1f72057939e8d2d68e8

SHA1
7e7eb951428167a1a8cfd7dedd096e30b309c6fc

SHA256
0bd0bdc2ff5a77e50be811933f2a9e295222a55d580aea1c5c02198569cebe15

SHA512
ad9e3c85e528bd67d7c784049062899c86dd958851eb22f3cd412d849085d15d66f432b1da6e891714d64fae1d7d82e590acce2249643ad354b016d6bead4c7d

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
112KB

MD5
91dff20bcb0b7345288e0c96ff5c9025

SHA1
b1fd6ff560201d8de6c38717d25af74fbb335cc1

SHA256
e176d5984ff1b7062fb85455d65bf0ace5934a791a156da31cc31bcf43511cf0

SHA512
023f31809a29853815e106c8b4aa66a823443a7799b859cd8b81a885cf018e319aed943a0d791ff78d8f293f2dee79a42518012f43360231a313a5d0ad5ff7a8

Download Submit
C:\Windows\SysWOW64\Njnpppkn.exe

Filesize
112KB

MD5
5224ac2de715a73a0b135471f92d65f9

SHA1
db07978bb1e4cf661af610bb63444b5c9f9828ec

SHA256
9f136d4e1b1704dade970c1222a21c36eb05b3b9d0b98394db5c37b660fac455

SHA512
cbd46a32b7a3ae0ec5164cf2ab9014d3cfa97e2614736825c767734280866187f2f581cecc5d3080256719cc3dd126891de6d04717c51b071a6b2fb72518e5f0

Download Submit
C:\Windows\SysWOW64\Nljofl32.exe

Filesize
112KB

MD5
aa8a3fec0342535a4a4de03532b3aa3d

SHA1
d042258fc804451a31e00961f92dffec1494c586

SHA256
b13f82c2f35f7b885e327e52115697e2c68bec9f1f3f9479532487d054a01d9e

SHA512
a9ebf95aca3e2037e888ebd6106c561fe06e9897a7c6c359544073b4d33fa6e35de5028e81c21b66183ae6c8f94cf6399422779acd6037ee58d0054c8d195eb7

Download Submit
C:\Windows\SysWOW64\Nlmllkja.exe

Filesize
112KB

MD5
e550909ddb7cd44b705a0b2570d8cfae

SHA1
ce1c13953335ebc9336a6e7a14c811301115caa4

SHA256
3493de493b0c05ed08a63531cbb2ad1225f196bebe285638694b82f498dab1e1

SHA512
375401d3cd1536fe10b96134c1f06c3c893f0bd7d07bc5589b174a0867cdc878e5fd98efffe27ea90ab0590f06e8bea2bfcb98f85b982508710cbbfc0478e497

Download Submit
C:\Windows\SysWOW64\Nnlhfn32.exe

Filesize
112KB

MD5
2dad61b34dc3ef4edcc77b22e2129f58

SHA1
857f8fb1b72e966aade975f77668b2f44219a242

SHA256
584091618ddd5e6be6f9551d71fa3b187d19880c7b56b196ac2d693b2516b802

SHA512
3dadabba94a3560b7ef1efc20324e1796510f344ea6aec97dddbcf0d3620ce257f73194259454e34d7766cf2677a7f1883fbef30ae3db573cdb4d791bd6982c3

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
112KB

MD5
f7ab931203c2d138b1d8976614e28623

SHA1
4d705cfcb8fc1549107a3a5ebdf3a2b1fb0ca5d8

SHA256
c5dec0012f53a72909cfd2eca45bd304a7865d115b2e43c41d89017b0179907d

SHA512
ea565a4b44f67f2790e594686cc22b8e9687214332652207cfe4ea0f7a4ab93544f25f20dbd53a0dc19d743834d59b50e3a225b1e7a57d2dc283697de0770084

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
112KB

MD5
56b8caaaaba1f83c0fe3e90defb2db6f

SHA1
8fde895010349bc6473c51c947201b56cfb94e0e

SHA256
a30512ca3ffd7aba5fa7b33e13edb60446958754cbd90e1f6eb3baf9f8207761

SHA512
096028402baf1bdda88cebcdf9c80667fa8cbd36b79ee8fe983c46c98820eebb3175d308fba1cbd9d151869b0032ec559c688d3638f14320a886794553c53ba0

Download Submit
C:\Windows\SysWOW64\Npjebj32.exe

Filesize
112KB

MD5
29bc72f9013291f622459c67f37d1218

SHA1
48ec736d89a55458d79707588c7a0ba3087b4b7e

SHA256
ed0dfe56306e69902f1e5a06437abc7f69e3c067d4bd436891011a59e8fa2cc1

SHA512
d6d671f8e8f0d3856151a2be50b17bb54bf9ea8aea9e234070d97f9be07d6376055773f3cdb3045828f3f5fb49283c1b7ab06aa64b2769485b97c68944a5dad1

Download Submit
C:\Windows\SysWOW64\Npmagine.exe

Filesize
112KB

MD5
77abedcf9c5e5c4472e17d0abb65b12d

SHA1
8f7ea0435fff0e0301914880aa3e9ee5e08926c4

SHA256
93d05b00f2397625ca7acfa0a138719546761b03b4d5484f3184cfb62456a067

SHA512
b8a9f48ea1be3ff0805f3554ae250c36203938fda75c1f8b8b18cc1485f7acb3e212132604803abc721b99c649f8d3bb3da7cbcb1cf98661939be4dc0cf2656c

Download Submit
C:\Windows\SysWOW64\Ocdqjceo.exe

Filesize
112KB

MD5
c89843c5ce63cbb9b2757a0dad7825c1

SHA1
2c1b88d8292abeb8bf991794f123687200f5329f

SHA256
ed858340e9e67a50c6b42b1991dd7aa15e9338ba2368c4cd6219ad6042e3b25a

SHA512
8f90e453b54d746353924a788ec1d4829ff33dde2996bb3eeefabc8e3f0071a413f5412c1509c27852e276aadf79c68be3d5b781b4fb4dd0b9d1bd642ddb41a2

Download Submit
C:\Windows\SysWOW64\Ocpgod32.exe

Filesize
112KB

MD5
4be0ff8c60291448ac814fa79dd34b17

SHA1
88bca6737c10e562e604cf1796d54edb328659f8

SHA256
717e08d2c00176a9e83717da5d358399c50cdbf45cfedd7238d07087fa995305

SHA512
aae72bed22e0b77d4308d539e295f850ce4d05bdd5afa9a9208b6588ad2fa3a91468ed9af014f2267c269f1acddb177f329f2903b16ebf7404c7ce74a63aabc3

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
112KB

MD5
b46d089b7680d0617300158d3b40111d

SHA1
5820906e388b8f0176c0b4f649c94facffc1b1f7

SHA256
619b1dab230a177b665992c0a967dff72cbb45bce0ba2f04779f224b1a34af4e

SHA512
a206db9f8f435901a962f77d8200a2b771dcbd41c35dd53ad6777a209fbd4c172b4f95ff405b4247158ec57697793a4fc1b27d0e304f61361c5a0b332dba7532

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
112KB

MD5
727e3bfb135f10ff8f24c28b554facf1

SHA1
c02122210c5628ec6568c4619574c9a793f63847

SHA256
851acbe78732f98e4cda74de73c76fecd1a86cca1c97393ad1a4d23e03fd5b62

SHA512
0b9c2460a962e5832be2b16d2d4ba0d3e6d0d3d155ed605d86f2ffb74b821ed4dbf2b35b01af39e6be0d6d2eb662f2181818f476c356f37f17331e4bcada400c

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
112KB

MD5
a60c78c581c0370f0e79a10ea1293fea

SHA1
6e8779a57971a2c759dac6aedc8f39fb74346d3b

SHA256
9404c6d75d688661ae121e82bf9bbe7fe848a48d81a722152b3382cf2a1f39c5

SHA512
f2d81ee91948ce9aba6719f14f5a7484ef945c9b184349a1ac3cfedfd0179590e80da264810f9a7eb90bb5990142f06b0d30232cca2f6b9c48ebfc268d919007

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
112KB

MD5
770b8b78aa62a530e25a13b7f9524d86

SHA1
06fa9ef15bd8452b451a5326a66961d2c82ed127

SHA256
4e544c0382e6627340734a7958cf5330635d03d4213a10eadf7a3240e20cfb74

SHA512
caefe0e3889fc99defee7666ed91261971929da728777554e9ae1f2a4c52976c0563dc710be41f94439492f1d286bc2424dabca2b7fcba120e60c604e184e1c7

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
112KB

MD5
d51ca8f6d25d2bade0c6090136b9a038

SHA1
8096560980776e52e6b31d1b656467ee4853eef0

SHA256
538bab108a56a5a15c4cb1256e4c94180300e2b53715d23a87bd21d8673fe82e

SHA512
d4ce07a235959ca21ba3bc7f9b87d545557ff3482128c098b0aa47ab1a4015382caf9215b29901025120b15067af3bf64a8da348524f4bd96b8481a11326cae4

Download Submit
C:\Windows\SysWOW64\Ofnckp32.exe

Filesize
112KB

MD5
7ec3a42625b972f70495471a28fdbc66

SHA1
9da8f31f8848849ed8e91dc3f30da596511d7a42

SHA256
0c9005ff1b110670ef8726cd656ca2937c5d57874c3767821a8e657858f580e4

SHA512
d01ccd627b8e9885658b678fc60575eda8c65c95adff3d04048184b337ed1273b6f9135b502f27ad1c90a037376a5fc991e289914edab0578fc90e1680079440

Download Submit
C:\Windows\SysWOW64\Ognpebpj.exe

Filesize
112KB

MD5
6dd39aab0e046bf29fa4cd568cd45150

SHA1
c5c6f63f53bdbedaf6693e67082079f26339ea5b

SHA256
11dbd43272979f2b08fb9d838a77166626f281220bae603244af3714f058b7be

SHA512
046b3c58f17ac91264623a1abae6b6f1602b3a3d9a50943b6fde07034d158e3b921a7504d7dff491b2c6770754c4e3a07abaf8545f7cc6bb016617735755f893

Download Submit
C:\Windows\SysWOW64\Olcbmj32.exe

Filesize
112KB

MD5
6e1bbcc718b0eb6927d9b36c636de06e

SHA1
0e06331cfffab4c9f145df4820d6d7d8ea613b5b

SHA256
393c197338800ace8db4aa5d8c26847355ac0bfeb1856d44ed1d54210d7bc769

SHA512
c1ca54028be0cd64a3aa6179edbde3aea3c67a1577801d491d84a8559c99c8688ff639cf901cda864979cfa5fe70d57e4d09e8e21c5e3d9bb50c679f2497f9b8

Download Submit
C:\Windows\SysWOW64\Olfobjbg.exe

Filesize
112KB

MD5
68fcd07649d94dcfed4b6531dee9d339

SHA1
0ed1b1483857cbb7a4d7a1270007ce86b1ad3039

SHA256
3f1c2cab334ebf925e81f8e73c6aafb7cc384f23f3e5ad75a609c31aa1b13cc5

SHA512
5382453e57374772e501e20d4996322aa8ee0db9cd958521dd1eb6c439f918d751fa62f9cd150d7be4f9ff8e0b7d8e3c174b2e2eddef8a098be5474acb254c2c

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
112KB

MD5
e902236aeb39b88bfec0e3da738a797c

SHA1
9f151527e491e5d9bcad097d6bc06b6264630047

SHA256
c8de8f72caa3fee0c4c0c7063a40bfc45facdee7c63b48eed07c11f3fbf11a3e

SHA512
acff031e661532ac3d37562f55f1a47371e02a000b5c4b75257529ef39aaacffe0e7e351f8da6aedf8940c980a6eea92b9c92d22d3a066a96affb0788eaf83ac

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
112KB

MD5
0014adb4527b3bd8a980a26cd7f3c020

SHA1
67a337a926224be33ce59a3cce79106d403b0e70

SHA256
39abccd13fb7d6a54f158e233daff73a0d0a894d9228167aaa4e63808a382def

SHA512
48c6ea4d220673e8d013a9facb18f87bd42898c61b430f2a0f95695273048a3e691a4e136b6f5d67d0d6b5ba38b1adac5515d19c77fe6e6d15fa33bf9e20b654

Download Submit
C:\Windows\SysWOW64\Onhhamgg.exe

Filesize
112KB

MD5
86a181299de51319c4bed4bbf165a37c

SHA1
8a866c566059465e36902566a94c53da8da702f8

SHA256
1e461b00902f7fc80ab84ba2a6fc844825fa9761ba2e1adb6776e6ac97426e5b

SHA512
a9fa6ac73d0d3905764b1a2fffea19ef353732dc20afd4b42aa46703f7f580c6200a8deb8de7ca161323ab1884cc45cf240f6dadf4c357e6b79123ec813da915

Download Submit
C:\Windows\SysWOW64\Opdghh32.exe

Filesize
112KB

MD5
37c0e8753849e8d30f26694f2adce41e

SHA1
e0118676660f881842b9f23a4b78302b3167558e

SHA256
25a2000864638e4e71d177ad75edb77bee6eb2417c3876ef614b835bf823f72a

SHA512
c088a131cfdd1eaf112eb91e4d21ad9fcea722229da2e055219e7c7e6a9e1120db4839f67c49125f4ff5f75bcc808ebc970463a33c3410e10e652915feb8bdde

Download Submit
C:\Windows\SysWOW64\Oqfdnhfk.exe

Filesize
112KB

MD5
b83cb38e38a1763e9548c8d9e61c1c0b

SHA1
d7a7816b1ebde3d023a8284675cb5643b3b1957f

SHA256
5194c11441a69a8c1be4ebf91d9adf501fae4f0b9439cfacd1b7e5efb8389389

SHA512
7d316f4c26b05f4f2eb530bfb0de9180c0af9be8a2beead3a0095ff7448ae31a8e0dcd35c9340ad3d5ba95c410ed5b08b2373cd6577a0f4f1396da3be960c9a6

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
112KB

MD5
df839424da37ac348490fd1c51cbd43e

SHA1
a1e648a92681fab3d3574cb408184ddc1dd17556

SHA256
caefb7dad4bad3defaf025f524747629590ee3a542d0c819352c38be459536a4

SHA512
fb5d24c817c16e46a52a56bf2232eabdff58c26b06063e762dc6f48459bad759a15037311f61984a531d60d82af6b42170aca67aa1fa5527b0cd1be10fee9cb1

Download Submit
C:\Windows\SysWOW64\Qjkmdp32.dll

Filesize
7KB

MD5
10eac135b2fb71408df578c859f08673

SHA1
b5ecb051f8981677aa929a031fceb88db27a29f1

SHA256
97409321743cf23fa818f955713a4c43b70bd0f4b89ee5082c6a51f84c72f8bc

SHA512
6b720c4b0096af2c6c7b8e0912b4c623461476b826f9ff58820f3956ab10b5ae206d58d26ab1a4f91e8907e82867e90f1a01437904d4fd6b48f342bc09d77ece

Download Submit
memory/520-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/648-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/748-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/848-175-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/896-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/956-116-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1044-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1140-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1288-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-448-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-382-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1456-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1468-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1620-424-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1736-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1744-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1816-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1944-370-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-524-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2284-518-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2348-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2412-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2464-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2500-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2548-526-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2652-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2668-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-593-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2876-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2924-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2968-460-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3248-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3276-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3316-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3380-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3444-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3508-558-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3508-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3512-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3560-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3608-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3676-572-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3816-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4080-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4104-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4160-430-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4200-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4308-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-551-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4388-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4456-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4464-544-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4476-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4500-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4516-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4580-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4616-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-579-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4660-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-586-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4700-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4760-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4808-565-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4820-436-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4836-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4936-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5040-442-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5088-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5164-532-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5204-538-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5244-545-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5292-552-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5336-559-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5408-570-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5464-573-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5512-580-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5556-587-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5600-594-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads